
Commit fb83eb93 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for your net-next
tree, they are:

1) Remove obsolete nf_log tracing from nf_tables, from Florian Westphal.

2) Add support for map lookups to numgen, random and hash expressions,
   from Laura Garcia.

3) Allow to register nat hooks for iptables and nftables at the same
   time. Patchset from Florian Westphal.

4) Timeout support for rbtree sets.

5) ip6_rpfilter needs the interface for link-local addresses, from
   Vincent Bernat.

6) Add nf_ct_hook and nf_nat_hook structures and use them.

7) Do not drop packets when packets race to insert conntrack entries
   into hashes, this is particularly a problem in nfqueue setups.

8) Address fallout from xt_osf separation to nf_osf, patches
   from Florian Westphal and Fernando Mancera.

9) Remove reference to struct nft_af_info, which doesn't exist anymore.
   From Taehee Yoo.

This batch comes with is a conflict between 25fd386e ("netfilter:
core: add missing __rcu annotation") in your tree and 2c205dd3
("netfilter: add struct nf_nat_hook and use it") coming in this batch.
This conflict can be solved by leaving the __rcu tag on
__netfilter_net_init() - added by 25fd386e - and remove all code
related to nf_nat_decode_session_hook - which is gone after
2c205dd3, as described by:

diff --cc net/netfilter/core.c
index e0ae4aae96f5,206fb2c4c319..168af54db975
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@@ -611,7 -580,13 +611,8 @@@ const struct nf_conntrack_zone nf_ct_zo
  EXPORT_SYMBOL_GPL(nf_ct_zone_dflt);
  #endif /* CONFIG_NF_CONNTRACK */

- static void __net_init __netfilter_net_init(struct nf_hook_entries **e, int max)
 -#ifdef CONFIG_NF_NAT_NEEDED
 -void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
 -EXPORT_SYMBOL(nf_nat_decode_session_hook);
 -#endif
 -
+ static void __net_init
+ __netfilter_net_init(struct nf_hook_entries __rcu **e, int max)
  {
  	int h;

I can also merge your net-next tree into nf-next, solve the conflict and
resend the pull request if you prefer so.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 7c08c41f 0c6bca74
+27 −7
@@ -67,7 +67,6 @@ struct nf_hook_ops {
	struct net_device	*dev;
	void			*priv;
	u_int8_t		pf;
	bool			nat_hook;
	unsigned int		hooknum;
	/* Hooks are ordered in ascending priority. */
	int			priority;
@@ -321,18 +320,33 @@ int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);

#include <net/flow.h>
extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);

struct nf_conn;
enum nf_nat_manip_type;
struct nlattr;
enum ip_conntrack_dir;

struct nf_nat_hook {
	int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip,
			       const struct nlattr *attr);
	void (*decode_session)(struct sk_buff *skb, struct flowi *fl);
	unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct,
				  enum nf_nat_manip_type mtype,
				  enum ip_conntrack_dir dir);
};

extern struct nf_nat_hook __rcu *nf_nat_hook;

static inline void
nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
{
#ifdef CONFIG_NF_NAT_NEEDED
	void (*decodefn)(struct sk_buff *, struct flowi *);
	struct nf_nat_hook *nat_hook;

	rcu_read_lock();
	decodefn = rcu_dereference(nf_nat_decode_session_hook);
	if (decodefn)
		decodefn(skb, fl);
	nat_hook = rcu_dereference(nf_nat_hook);
	if (nat_hook->decode_session)
		nat_hook->decode_session(skb, fl);
	rcu_read_unlock();
#endif
}
@@ -374,13 +388,19 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)

extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
void nf_ct_attach(struct sk_buff *, const struct sk_buff *);
extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu;
#else
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
#endif

struct nf_conn;
enum ip_conntrack_info;

struct nf_ct_hook {
	int (*update)(struct net *net, struct sk_buff *skb);
	void (*destroy)(struct nf_conntrack *);
};
extern struct nf_ct_hook __rcu *nf_ct_hook;

struct nlattr;

struct nfnl_ct_hook {
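Review bot: In nf_nat_decode_session() the result of `rcu_dereference(nf_nat_hook)` is dereferenced without a NULL test, so `if (nat_hook->decode_session)` faults whenever no hook structure is published. The lines it replaces tested the old function pointer before calling it, and CONFIG_NF_NAT_NEEDED being defined does not by itself show that `nf_nat_hook` is always assigned; presumably it is set only while the NAT core is registered, which this page does not show. Check both levels instead: `if (nat_hook && nat_hook->decode_session)`. This inline sits on a packet-handling path, so a NULL dereference here would be a kernel oops rather than a recoverable error.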
+6 −0
@@ -21,6 +21,12 @@ enum osf_fmatch_states {
	FMATCH_OPT_WRONG,
};

struct nf_osf_finger {
	struct rcu_head			rcu_head;
	struct list_head		finger_entry;
	struct nf_osf_user_finger	finger;
};

bool nf_osf_match(const struct sk_buff *skb, u_int8_t family,
		  int hooknum, struct net_device *in, struct net_device *out,
		  const struct nf_osf_info *info, struct net *net,
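Review bot: `struct nf_osf_finger` is now visible to every includer of this header, but it carries no comment on how entries are linked or released. The `rcu_head` and `finger_entry` members suggest an RCU-protected list, though the list and its locking are not on this page. A short comment above the struct would let other users of the header follow the same lifetime rules, for example `/* fingerprint list entry: linked via finger_entry, rcu_head for deferred free (confirm against the list owner) */`.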
+4 −0
@@ -75,4 +75,8 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum,
#endif
}

int nf_nat_register_fn(struct net *net, const struct nf_hook_ops *ops,
		       const struct nf_hook_ops *nat_ops, unsigned int ops_count);
void nf_nat_unregister_fn(struct net *net, const struct nf_hook_ops *ops,
			  unsigned int ops_count);
#endif
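Review bot: The two new prototypes have no comment, and nf_nat_register_fn() takes two `nf_hook_ops` arrays but a single `ops_count`, so the header does not say which array the count bounds or whether both must have the same length. A short kernel-doc comment above the declaration would settle that, for example `/* @ops, @nat_ops: hook arrays; @ops_count: number of entries (state which array it applies to) */`. nf_nat_unregister_fn() receives only `ops`, so the comment should also say how the matching `nat_ops` are located at unregister time. The definitions are outside this page, so the intended contract cannot be confirmed here.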
+4 −7
@@ -11,6 +11,10 @@
unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
			   unsigned int hooknum, struct sk_buff *skb);

unsigned int
nf_nat_inet_fn(void *priv, struct sk_buff *skb,
	       const struct nf_hook_state *state);

int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family);

static inline int nf_nat_initialized(struct nf_conn *ct,
@@ -22,11 +26,4 @@ static inline int nf_nat_initialized(struct nf_conn *ct,
		return ct->status & IPS_DST_NAT_DONE;
}

struct nlattr;

extern int
(*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
				  enum nf_nat_manip_type manip,
				  const struct nlattr *attr);

#endif /* _NF_NAT_CORE_H */
+4 −48
@@ -44,58 +44,14 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
				  enum ip_conntrack_info ctinfo,
				  unsigned int hooknum);

unsigned int nf_nat_ipv4_in(void *priv, struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    unsigned int (*do_chain)(void *priv,
						     struct sk_buff *skb,
						     const struct nf_hook_state *state));

unsigned int nf_nat_ipv4_out(void *priv, struct sk_buff *skb,
			     const struct nf_hook_state *state,
			     unsigned int (*do_chain)(void *priv,
						      struct sk_buff *skb,
						      const struct nf_hook_state *state));

unsigned int nf_nat_ipv4_local_fn(void *priv,
				  struct sk_buff *skb,
				  const struct nf_hook_state *state,
				  unsigned int (*do_chain)(void *priv,
							   struct sk_buff *skb,
							   const struct nf_hook_state *state));

unsigned int nf_nat_ipv4_fn(void *priv, struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    unsigned int (*do_chain)(void *priv,
						     struct sk_buff *skb,
						     const struct nf_hook_state *state));

int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
				    enum ip_conntrack_info ctinfo,
				    unsigned int hooknum, unsigned int hdrlen);

unsigned int nf_nat_ipv6_in(void *priv, struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    unsigned int (*do_chain)(void *priv,
						     struct sk_buff *skb,
						     const struct nf_hook_state *state));

unsigned int nf_nat_ipv6_out(void *priv, struct sk_buff *skb,
			     const struct nf_hook_state *state,
			     unsigned int (*do_chain)(void *priv,
						      struct sk_buff *skb,
						      const struct nf_hook_state *state));

unsigned int nf_nat_ipv6_local_fn(void *priv,
				  struct sk_buff *skb,
				  const struct nf_hook_state *state,
				  unsigned int (*do_chain)(void *priv,
							   struct sk_buff *skb,
							   const struct nf_hook_state *state));
int nf_nat_l3proto_ipv4_register_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_l3proto_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops *ops);

unsigned int nf_nat_ipv6_fn(void *priv, struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    unsigned int (*do_chain)(void *priv,
						     struct sk_buff *skb,
						     const struct nf_hook_state *state));
int nf_nat_l3proto_ipv6_register_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_l3proto_ipv6_unregister_fn(struct net *net, const struct nf_hook_ops *ops);

#endif /* _NF_NAT_L3PROTO_H */